HKCert
Security Blog

Beware of Crypto Ransomware

Release Date: 04 / 05 / 2015
Last Update: 14 / 12 / 2016

3 ransomwares claimed with decryption solutions - click here

 

 

 

Since 2015, Hong Kong Computer Emergency Response Team Coordination Center (HKCERT) noticed an increase of incident reports requesting assistance on handling crypto ransomware. It has then become one of the major threats in Hong Kong.
Crypto ransomware seriously affected business operations in SMEs and organizations in Hong Kong. To increase the awareness of information security, HKCERT provided information about ransomware on the infection and impact.

 

Crypto Ransomware

 

 

Crypto ransomware is a type of malware that attacks by encrypting the victim’s files to hold data as hostage. The ransomware encrypts files, or sometimes the whole harddisk located in the affected machines, as well as the files on connected external devices or network drives. The victim is denied of access to the data until the attacker provides the decryption key. The attacker demands ransom payment in return for a decryption key to recover the data.

 

 

Fig 1) CryptoLocker  and CryptoDefense demanding ransom payment

 

Infection Vector

 

 

Crypto ransomware typically infects computers via the following ways:

  1.  Spam email
    Some victims were infected by opening attachments in spam emails. Known file types of malicious attachments include compressed file (.zip) containing executable files (.exe) or javascript files (.js), and macro enabled Microsoft office files. The spam email campaign was usually generated by botnets.
  2. Compromised websites
    Some victims were infected by visiting compromised websites. Those websites target computers with unpatched system or applications, including browsers and plugins.
  3. Malvertising
    Malvertising is the short form of malicious advertising. Some victims were infected by visiting legitimate websites that display malicious banner ads.
  4. Remote access
    Some ransomware tries to use password brute force attack on remote access service, e.g. remote desktop or Team Viewer to penetrate into the data repository to launch attack.
  5. Self-propagation
    While most Crypto ransomwares are Trojan that do not spread by itself, some evolved to have propagation ability. Once a ransomware infected a computer, it will try to infect other devices through networks and USB drives etc.
     

Malware’s Operation

 

Ransomware encrypts the local and network shared files with strong encryption. Targeted file types includes documents, images, videos, editable drawing files, database files, digital certificates, game profiles, etc.

 

After the encryption, the malware will send the encryption key back to the control and command server (C2 server), and leaves an extortion message on the infected computer. It demands a specified amount of ransom in bitcoins to exchange for the decryption key, otherwise, the unique decryption key will be deleted.

 

Due to the use of strong encryption algorithms in ransomware, the encrypted files cannot be recovered in the absence of the decryption key.

 

 

Fig 2) CryptoWall and CTB-Locker demanding a ransom payment

 

Incident handling of crypto ransomware infection

  1. Isolate and disconnect infected machine immediately to avoid further impacts the malware may cause.
  2. Download Microsoft Safety Scanner (http://www.microsoft.com/security/scanner/) ^, and run a full scan to remove the malware.
  3. Restore the files and data from the backup, if backup files are available.
  4. If no backup was done previously, we suggest not restoring the system to avoid losing information required for decryptions.

 

Prevention

  • Beware of suspicious email. Do not open the attachment, especially compressed files (zip) or executable files (exe)
  • Install security software and update to the latest signature. ^
  • Update the system and software, such as Microsoft Windows, Office, Adobe reader, Flash player, etc., with the latest security patch
  • Backup the important documents instantly and regularly. Keep an offline copy of the backup to avoid being affected by the malware.
  • If you are using cloud backup service, make sure that the cloud service provider has a version history function. It can help to recover the files from previous version, even though the affected files are synchronized to the cloud.

 

For additional information about data protection on PC, please refer to https://www.hkcert.org/my_url/guideline/08092303

 

 

FAQ 1: If no backup was down previously, can the affected files be recovered?

 

In general, the affected encrypted files cannot be recovered because ransomware uses strong encryption algorithm. There is a chance to recover the files only with the following conditions.

 

1. Using Windows and Shadow Volume Copy Service enabled

If users were infected with the older crypto ransomware which did not remove the shadow copy file, users may try to recover the files through the Shadow Copy (please refer to https://technet.microsoft.com/en-us/library/cc738819(v=ws.10).aspx). However, most newer crypto ransomware deletes the Shadow Copy after the infection, causing the recovery attempt a failure.

 

2. Ransomware decryption keys are made available by some ways

  1. Some information security company and organization took down the C2 servers of crypto ransomware and retrieved decryption keys inside the servers. They also provide decryption platform for users to upload the affected files to match a correct decryption key to recover their files.
    1. CoinVault decryption website: https://noransom.kaspersky.com/ ^
  2. The criminal behind the ransomware disclosed the decryption keys. For example, TeslaCrypt’s owner announced an end to Teslacrytp and disclosed the keys. Some security researchers developed tools to decrypt the files
    1. TeslaCrypt decryptor:
      http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/ (by ESET) ^
      https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221#collapseOne (by Trend Micro) ^
      http://www.talosintel.com/teslacrypt_tool/ (by Cisco Talos)^
  3. The ransomware has flaw by design. Security researchers cracked the ransomware and developed decryptor, for example earlier version of CryptXXX can be cracked.
    1. CryptXXX (usually with file extension .crypt, .crypz or .cryp1) decryptor:
      https://support.kaspersky.com/viruses/disinfection/8547#block1 (by Kaspersky) ^
      https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221#collapseOne (by Trend Micro) ^
  4. The National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security initiated a websites to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
    www.nomoreransom.org/index.html

FAQ 2: Can I recover the files if I pay the ransom?

 

HKCERT does not receive any report about the success in data recovery after paying the ransom and getting a decryption key from the attackers. Moreover, it is probable that the crypto ransomware C2 servers were taken down. Although the ransom is paid, the decryption key cannot be obtained.

If you pay the ransom, you are funding the attackers to develop more ransomware attacks. The payment is also an indicator and incentive to the attacker that certain party or industry sector is more willing to pay the ransom.
 

 

FAQ 3: Does crypto ransomware only infect Windows?

 

No. While most of the crypto ransomware infection were occurred in Windows, there were some crypto ransomware moved the target to network attached storage (NAS) and Android devices. In addition, an information security researcher found that a new crypto ransomware variant can execute in 64-bit platform. The researcher believes that crypto ransomware is capable to infect other 64-bit platforms, like Linux and Mac OS, in the future.

 

NOTE ^: Before installation of the software or using the service, please visit the vendor website for more details.

NOTE: Due to the frequent appearance of new variant crypto ransomware, please contact your security software or anti-virus software vendors for more detail on detection and removal function.

 

HKCERT issued alerts and articles about crypto ransomware :